Create Self-Signed Certificates for HSM

About this task

Use the manageKeyCerts -create command to create a self-signed key certificate. Stop CM before you run this command.

Consider the following before you use this command:

  • If the engine parameter is defined, a certificate is created on the HSM configured for that engine. If a netHSM is used and multiple engines access the netHSM, any of the engines can be specified to create the certificate on the HSM.
  • If the engine uses a PCI module and it cannot be accessed by other engines, group the key certificates for that engine in a separate system certificate store. Those key certificates cannot be shared with other engines.
  • If the engine parameter is not defined, and HSM support is enabled on CM, the key certificate is created on the HSM configured for CM. Make sure that engines that use this key certificate can access the HSM enabled for CM.
  • If the engine parameter is not defined and HSM support is not enabled on CM, the key certificate is created on the Secure Proxy system certificate keystore.

To create a self-signed key certificate, type the following command:

manageKeyCerts -create [parameters]

Following are the parameters used to create a key certificate. Each parameter is given as name=value; when a value contains spaces, enclose the whole name=value pair in double quotes. The password parameters (adminpass, keystorepass, keypass) prompt when they are omitted; leaving them off the command line keeps the secrets out of shell history and process listings.

certName
    Name of the key certificate on Secure Proxy. Required.

certStore
    Name of the system certificate store in which the key certificate is stored. Optional. If the store does not exist, it is created. Default=dfltKeyStore.

engine
    Name of the engine with access to the HSM. Optional. See the considerations above for where the certificate is created when this parameter is omitted.

alias
    Alias for the key certificate on the HSM. Optional. If no value is defined, the alias defaults to the certificate name.

keySize
    Size, in bits, of the key to generate. Valid values = 1024 | 2048 | 4096. Default=1024. The default is kept for compatibility only; 1024-bit keys are below current minimum recommendations (NIST SP 800-131A disallows 1024-bit RSA for signature generation), so specify keySize=2048 or keySize=4096 for any new certificate.

CN
    Certificate common name. Required. If the name contains spaces, enclose the parameter and value in double quotes, for example "CN=my name".

email
    E-mail address. Optional.

O
    Organization. Optional. If the value contains spaces, enclose the parameter and value in double quotes, for example "O=my org".

OU
    Organizational unit. Optional. Repeat this parameter to specify more than one organizational unit. If the value contains spaces, enclose the parameter and value in double quotes, for example "OU=my unit".

L
    Locality (city). Optional. If the value contains spaces, enclose the parameter and value in double quotes, for example "L=my location".

ST
    State or province. Optional. If the value contains spaces, enclose the parameter and value in double quotes, for example "ST=my state".

C
    Two-letter country code. Optional.

daysValid
    Number of days the key certificate is valid, counted from creation. Optional. Default=365.

serial
    Serial number for the key certificate. Optional. Default=1. A serial number is expected to be unique for each certificate an issuer signs, and a self-signed certificate is its own issuer, so give each self-signed certificate that shares a subject name a distinct serial number rather than leaving all of them at 1.

certSignBit
    Whether to set the certificate-signing (keyCertSign) bit in the key usage extension, which marks the certificate as able to sign other certificates. Valid values = n | y | false | true. Default=n. Leave it off unless the certificate is meant to act as a signing CA.

replace
    Whether to replace an existing key certificate with the same name in the Secure Proxy system certificate store. Optional. Valid values = false | true. Default=false.

systempass
    Passphrase for CM.

adminid
    Administrator ID. Optional. Prompts if not defined.

adminpass
    Administrator password. Optional. Prompts if not defined.

keystorepass
    Keystore password. Optional. Prompts if not defined. For Safenet, the user PIN for the slot used by Secure Proxy. For Thales, the passphrase for the operator smart card that protects the key; the card must be inserted in the module's card reader.

keypass
    Passphrase for the key in the keystore. Optional. Prompts if not defined. For Safenet, this parameter can be anything and is ignored. For Thales, it must be the same value as the keystore password.
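A weak keySize or a malformed country code is only noticed after the key already exists on the HSM, so it is worth checking the inputs once before the command runs. The wrapper below is an added example, not Secure Proxy's own tooling or IBM code. It assumes the name=value argument form that the page's own "CN=my name" examples use and a POSIX shell on the CM host; the values hsmcert, "my proxy", "my org", ops and engine1 are constructed placeholders. It validates keySize, daysValid, serial and C, quotes tokens containing spaces the way the parameter descriptions require, and prints the exact command line to run; it does not invoke manageKeyCerts itself.

```shell
#!/bin/sh
# Preflight wrapper for `manageKeyCerts -create` (added example; not part of
# Secure Proxy). Assumes the name=value argument form that the page's own
# "CN=my name" examples show. It checks the security-relevant parameters
# before anything is created on the HSM and prints the command line to run.

MIN_KEY_SIZE=2048    # local policy: 1024-bit keys are below current minimums

# quote_token TOKEN: wrap TOKEN in double quotes when it contains a space,
# escaping any embedded double quote, so "CN=my name" reaches the tool intact.
quote_token() {
    case "$1" in
        *" "*) printf '"%s"' "$(printf '%s' "$1" | sed 's/"/\\"/g')" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# build_create_cmd CERTNAME CN KEYSIZE DAYSVALID SERIAL [NAME=VALUE ...]
# Validates keySize, daysValid, serial and any C= country code, then prints
# the manageKeyCerts line. Prints nothing and returns 1 when a check fails.
build_create_cmd() {
    certname=$1
    cn=$2
    keysize=$3
    days=$4
    serial=$5
    shift 5

    # keySize: only the values the tool accepts, and never below policy.
    case "$keysize" in
        1024|2048|4096) ;;
        *) echo "keySize must be 1024, 2048 or 4096" >&2; return 1 ;;
    esac
    if [ "$keysize" -lt "$MIN_KEY_SIZE" ]; then
        echo "keySize $keysize is below the policy minimum $MIN_KEY_SIZE" >&2
        return 1
    fi

    # daysValid and serial must be positive integers.
    for n in "$days" "$serial"; do
        case "$n" in
            ''|*[!0-9]*) echo "daysValid and serial must be positive integers" >&2; return 1 ;;
        esac
        [ "$n" -gt 0 ] || { echo "daysValid and serial must be greater than 0" >&2; return 1; }
    done

    # Optional name=value pairs: a country code must be exactly two letters.
    for kv in "$@"; do
        case "$kv" in
            C=[A-Za-z][A-Za-z]) ;;
            C=*) echo "C must be a two-letter country code, got '$kv'" >&2; return 1 ;;
        esac
    done

    # Assemble the command line, quoting every token that needs it.
    cmd="manageKeyCerts -create $(quote_token "certName=$certname")"
    cmd="$cmd $(quote_token "CN=$cn")"
    cmd="$cmd keySize=$keysize daysValid=$days serial=$serial"
    for kv in "$@"; do
        cmd="$cmd $(quote_token "$kv")"
    done
    printf '%s\n' "$cmd"
}

# Constructed values; engine1 is a placeholder for a real engine name.
build_create_cmd hsmcert "my proxy" 2048 365 1 "O=my org" OU=ops C=US engine=engine1
# A 1024-bit request is refused before it reaches the HSM:
build_create_cmd weak "weak cert" 1024 365 1 || echo "rejected: keySize 1024"
```

Run the printed line with CM stopped, and leave adminpass, keystorepass and keypass off it so the command prompts for them instead of recording them in shell history.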